The hackers demanded 15 bitcoin, or about $6,000, from ProtonMail to halt the attacks.
Photograph: Ted Soqui/Corbis

ProtonMail, a Switzerland-based encrypted email provider, was forced offline on Thursday after hackers held the company’s internet connection for ransom by using a distributed denial of service (DDoS) attack.

“ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state sponsored actors,” the company said. “It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us.”

The ransom was only for 15 bitcoin, or about $6,066, but the attacks did not stop when it was paid.

ProtonMail is founded by scientists from European Organization for Nuclear Research, or Cern. It has become widely known in the US since its appearance on popular USA network drama Mr Robot.

“We are still poring over the evidence and will be working with the Swiss federal cybercrime unit,” ProtonMail co-founder Andy Yen told the Guardian, adding that the source of the second attack had not yet been conclusively determined. Yen also said that he knew of “several dissident groups who are actively using ProtonMail”, and are based in countries known for hacking attacks.

“But we know after speaking with the experts that came to our aid that there are few groups capable of carrying out an attack of this size and sophistication. This is likely the biggest and most sophisticated DDoS attack to ever occur in Switzerland,” Yen said.

While the type of attack is common, ProtonMail said the DDoS directed at it was “unprecedented in size and scope” in a blogpost on the assault. The hackers probably responsible for the first, smaller attack go by the name Armada Collective and have come to the attention of Swiss authorities for extorting “high-value targets” in the recent past.

The Swiss governmental computer emergency response team said that the group typically demands a ransom in bitcoin and then demonstrates its abilities with a brief DDoS attack, followed by a longer attack if the target doesn’t immediately pay. Their emails usually read “Ransom request: DDOS ATTACK!” according to the team.

ProtonMail said it “grudgingly agreed” to pay the ransom after pressure to mitigate damage to the other customers of ProtonMail’s ISP and data center, which were affected by the attack, but the attacks continued even after ProtonMail paid up. The email provider emphasized that it had not been breached, merely disabled. “Even though access is limited, an important thing to note is that our core end-to-end encryption holds strong and is 100% untouched. All user data is fine and safe.”

Yen said that the attack was unlike anything seen in the country. “The attack against us was unprecedented for Switzerland, and the attackers took down an ISP and entire datacenter just to take us down,” Yen said. “The solutions to defend are also complex and will take time to implement.”

• This article was amended on 6 November 2015 to reflect that ProtonMail is not headquartered at Cern, but was founded by scientists from Cern.